EMS/SCADA cyber security:
IEC 62443 for industrial BESS
BESS is not just a battery, but a cyber-physical system: dozens of controllers, EMS, BMS, inverters of PCS, remote monitoring and communication channels of SCADA and, increasingly, of VPP market platforms. Each of these elements is a potential attack vector. A compromised EMS can not only stop the operation of the drive, but also create an emergency mode at the critical infrastructure facility. In 2026, operational technology (OT) cybersecurity has ceased to be an “option for the paranoid” and has become a requirement for bankability and insurance. In this material, how the IEC 62443 standard protects industrial BESS.
"It is not the 'battery' that is under attack, but its brain - the EMS and the control channels. BESS security is not an antivirus, but an architecture: segmentation, trust levels and control of each connection." — OT Security, BESS Ukraine.
Why BESS is a target for cyber attack
Modern industrial BESS is deeply integrated into the digital infrastructure of the enterprise and power system. It is this connectivity that gives advantages (remote monitoring, participation in markets, predictive optimization) and creates an attack surface. Understanding the vectors is the first step to protection.
EMS / controller
The central "brain" of charge-discharge control. Compromise = full control over system behavior.
Remote access
Cloud monitoring and service VPN channels are convenient for engineers, attractive for attackers.
SCADA protocols
Modbus TCP and other industrial protocols have historically been designed without encryption or authentication.
Supply chain
Inverter firmware, BMS and third-party software — the risk of “bookmarks” and vulnerabilities in components.
What the IEC 62443 standard gives
IEC 62443 is an international standard for cyber security of industrial automation and control systems (IACS). Unlike "office" IT security, it takes into account the specifics of OT: the priority of availability and process security over privacy, long life cycles of equipment, real time. The key concept is Security Levels (SL) and dividing the system into zones & conduits.
| Level | Who is he protecting from? | An example of a threat |
|---|---|---|
| SL 1 | Accidental / unintentional actions | Staff error, crash |
| SL 2 | Deliberate, simple means | Low-skilled attacker, typical tools |
| SL 3 | Deliberate, special means | Prepared attack, knowledge of IACS systems |
| SL 4 | Deliberate, significant resources | Targeted attack on critical infrastructure |
The target level of SL is chosen according to the criticality of the object: for a commercial Retail object, one level is enough, for a hospital, water supply or an object operating in the auxiliary services market, the requirements are significantly higher.
Architecture of a secure BESS
Security according to IEC 62443 is not based on one "magical" tool, but on the principle of echeloned defense (defense in depth): several independent levels of protection, each of which deters an attack, even if the previous one has been passed.
- Network segmentation (zones & conduits): division into trust zones — battery level, management level, monitoring, corporate network — of controlled channels between them.
- Access control: role authentication, rejection of shared passwords, principle of least privileges for operators and service.
- Protected channels: encryption and authentication of remote access, VPN of strict control, rejection of "naked" protocols where possible.
- Monitoring and response: logging of events, detection of anomalies in control traffic, notification of personnel on duty.
- Lifecycle Safety: managed firmware update, supply chain component validation, incident response plan.
OT vs IT security priorities
This is a fundamental difference from office IT: in OT, it is not permissible to "turn off" the system for the sake of data security, because the stoppage of BESS at a critical object is itself an incident. Therefore, the protection is designed so as not to sacrifice the availability and security of the process.
Why it affects money
BESS cyber security is not only a technical issue, but also a financial one. Banks and donors consider cyber risks when assessing project bankability. Insurance companies look at the availability of appropriate measures when determining the premium and terms of coverage. And for critical infrastructure facilities, the requirements for OT protection may be regulatory. It is cheaper to include IEC 62443 in the project at the start than to "screw" security to an already working system.
Planning a BESS at a critical facility or want to test the cyber resilience of an existing system? Let's discuss IEC 62443 security architecture - click the button below.
Frequently Asked Questions
Can BESS really be hacked through a cyber attack?
What is IEC 62443 and how does it differ from conventional IT security?
What Security Level (SL) is required for my BESS?
Does cyber security affect BESS insurance and funding?
Is it cheaper to start with cybersecurity or add it later?
Cyber resilience audit
We will assess the threat vectors of your BESS and design a protection architecture according to IEC 62443.